For any pair $(X,Z)$ of correlated random variables we can think of $Z$ as a
randomized function of $X$. Provided that $Z$ is short, one can make this
function computationally efficient by allowing it to be only approximately
correct. In folklore this problem is known as \emph{simulating auxiliary
inputs}. This idea of simulating auxiliary information turns out to be a
powerful tool in computer science, finding applications in complexity theory,
cryptography, pseudorandomness and zero-knowledge. In this paper we revisit
this problem, achieving the following results:
  \begin{enumerate}[(a)] We discuss and compare efficiency of known results,
finding the flaw in the best known bound claimed in the TCC'14 paper "How to
Fake Auxiliary Inputs". We present a novel boosting algorithm for constructing
the simulator. Our technique essentially fixes the flaw. This boosting proof is
of independent interest, as it shows how to handle "negative mass" issues when
constructing probability measures in descent algorithms. Our bounds are much
better than bounds known so far. To make the simulator
$(s,\epsilon)$-indistinguishable we need the complexity $O\left(s\cdot
2^{5\ell}\epsilon^{-2}\right)$ in time/circuit size, which is better by a
factor $\epsilon^{-2}$ compared to previous bounds. In particular, with our
technique we (finally) get meaningful provable security for the EUROCRYPT'09
leakage-resilient stream cipher instantiated with a standard 256-bit block
cipher, like $\mathsf{AES256}$.Comment: Some typos present in the previous version have been correcte

A Buldas

AM Frieze

D Jetchev

K Pietrzak

K-M Chung

MG Luby

S Faust

S Vadhan

Y Dodis

Y Yu

English

arXiv

Maciej Skórski

Crossref

Simulating Auxiliary Inputs, Revisited

For any pair $(X,Z)$ of correlated random variables we can think of $Z$ as a randomized function of $X$. If the domain of $Z$ is small, one can make this function computationally efficient
by allowing it to be only approximately correct. In folklore this problem is known as _simulating auxiliary inputs_.
This idea of simulating auxiliary information turns out to be a very usefull tool, finding applications in complexity theory, cryptography, pseudorandomness and zero-knowledge. In this paper we revisit this problem, achieving the following results:

(a) We present a novel boosting algorithm for constructing the simulator. This boosting proof is of independent interest, as it shows how to handle  negative mass  issues when constructing probability measures by shifting distinguishers in descent algorithms.  Our technique essentially fixes the flaw in the TCC\u2714 paper  How to Fake Auxiliary Inputs .

(b) The complexity of our simulator is better than in previous works, including results derived from the uniform min-max theorem due to Vadhan and Zheng. To achieve $(s,\epsilon)$-indistinguishability we need the complexity $O\left(s\cdot 2^{5\ell}\epsilon^{-2}\right)$ in time/circuit size, which improve previous bounds by a factor of $\epsilon^{-2}$.
In particular, with we get meaningful provable security for the  EUROCRYPT\u2709 leakage-resilient stream cipher instantiated with a standard 256-bit block cipher, like $\mathsf{AES256}$.

Our boosting technique utilizes a two-step approach. In the first step we shift the current result (as in gradient or sub-gradient descent algorithms) and in the separate step we fix the biggest non-negative mass constraint violation (if applicable)

Maciej Skorski

Cryptology ePrint Archive

Simulating Auxiliary Inputs, Revisited

Abstract

Similar works

Full text

Available Versions

Crossref

Cryptology ePrint Archive